From 03bd0f0d0945a80f5af19d06d37ff31a52d294ed Mon Sep 17 00:00:00 2001 From: Anton Tananaev Date: Sat, 5 Sep 2020 15:52:45 -0700 Subject: Update SameSite configuration --- src/main/java/org/traccar/web/WebServer.java | 35 +++++++++++++++++++++------- 1 file changed, 27 insertions(+), 8 deletions(-) (limited to 'src/main/java/org/traccar/web/WebServer.java') diff --git a/src/main/java/org/traccar/web/WebServer.java b/src/main/java/org/traccar/web/WebServer.java index 3f2a24815..44d78cd27 100644 --- a/src/main/java/org/traccar/web/WebServer.java +++ b/src/main/java/org/traccar/web/WebServer.java @@ -15,6 +15,7 @@ */ package org.traccar.web; +import org.eclipse.jetty.http.HttpCookie; import org.eclipse.jetty.http.HttpMethod; import org.eclipse.jetty.http.HttpStatus; import org.eclipse.jetty.proxy.AsyncProxyServlet; @@ -45,6 +46,7 @@ import org.traccar.config.Keys; import javax.servlet.DispatcherType; import javax.servlet.ServletException; +import javax.servlet.SessionCookieConfig; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.File; @@ -76,12 +78,8 @@ public class WebServer { ServletContextHandler servletHandler = new ServletContextHandler(ServletContextHandler.SESSIONS); - int sessionTimeout = config.getInteger("web.sessionTimeout"); - if (sessionTimeout > 0) { - servletHandler.getSessionHandler().setMaxInactiveInterval(sessionTimeout); - } - initApi(config, servletHandler); + initSessionConfig(config, servletHandler); if (config.getBoolean("web.console")) { servletHandler.addServlet(new ServletHolder(new ConsoleServlet()), "/console/*"); 
@@ -167,10 +165,31 @@ public class WebServer { SecurityRequestFilter.class, CorsResponseFilter.class, DateParameterConverterProvider.class); resourceConfig.packages(ServerResource.class.getPackage().getName()); servletHandler.addServlet(new ServletHolder(new ServletContainer(resourceConfig)), "/api/*"); + } - if (config.getBoolean(Keys.WEB_SAME_SITE_COOKIE_NONE)) { - servletHandler.getServletContext().getSessionCookieConfig().setSecure(true); - servletHandler.getServletContext().getSessionCookieConfig().setComment("__SAME_SITE_NONE__"); + private void initSessionConfig(Config config, ServletContextHandler servletHandler) { + int sessionTimeout = config.getInteger("web.sessionTimeout"); + if (sessionTimeout > 0) { + servletHandler.getSessionHandler().setMaxInactiveInterval(sessionTimeout); + } + + String sameSiteCookie = config.getString(Keys.WEB_SAME_SITE_COOKIE); + if (sameSiteCookie != null) { + SessionCookieConfig sessionCookieConfig = servletHandler.getServletContext().getSessionCookieConfig(); + switch (sameSiteCookie.toLowerCase()) { + case "lax": + sessionCookieConfig.setComment(HttpCookie.SAME_SITE_LAX_COMMENT); + break; + case "strict": + sessionCookieConfig.setComment(HttpCookie.SAME_SITE_STRICT_COMMENT); + break; + case "none": + sessionCookieConfig.setSecure(true); + sessionCookieConfig.setComment(HttpCookie.SAME_SITE_NONE_COMMENT); + break; + default: + break; + } } } -- cgit v1.2.3
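Review bot: The `switch (sameSiteCookie.toLowerCase())` in initSessionConfig uses the default locale, so under a Turkish-style locale a configured value such as `STRICT` lowercases to a string with a dotless i, matches no case and falls through to `default: break;`, leaving the session cookie with no SameSite attribute at all; use `switch (sameSiteCookie.toLowerCase(Locale.ROOT))` (with `import java.util.Locale;` if the file does not already have it). That same `default: break;` also turns any other unrecognised value of `Keys.WEB_SAME_SITE_COOKIE`, including a simple typo, into a silent no-op, which for a cookie-hardening setting deserves to be surfaced — `throw new IllegalArgumentException("Unknown SameSite value: " + sameSiteCookie);` in that branch, or at least a warning log, whichever matches the class's error-handling style. The boolean `Keys.WEB_SAME_SITE_COOKIE_NONE` lookup is dropped in favour of the string key, and since the Keys change is outside this diff I cannot tell whether a deployment still setting the old key keeps its SameSite=None behaviour. A short Javadoc on the new method, e.g. `/** Applies the session timeout and the SameSite policy from config to the servlet context's session cookie. */`, would also help, because Jetty's `SAME_SITE_*_COMMENT` marker mechanism is not obvious from the calls alone.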